Researchers create magstripe versions from EMV and contactless cards

Man use smart phone and holding credit card with shopping

Man use smart phone and holding credit card with shopping online. Online payment concept.

Getty Images/iStockphoto

A British security researcher has proven this week that it is still possible in 2020 to create older-generation magnetic stripe (magstripe) cards using details found on modern chip-and-PIN (EMV) and contactless cards, and then use the cloned cards for fraudulent transactions.

In a whitepaper named “It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Lab, tested modern card technologies from 11 banks from the US, the UK, and the EU.

Galloway discovered that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.



Image: Cyber R&D Lab

Under normal circumstances, this should not be possible. EMV cards were designed to be hard to clone, primarily due to the secure chip included with each one.

However, Galloway’s whitepaper explains in a step-by-step guide on how to take data from an EMV card and create an older-generation magnetic stripe clone.

This technique — of cloning a magstripe version from an EMV card — is not new and has been documented as far back as 2007.

Cloning magstripes from EMV data is, in fact, the way how many carding gangs still operate today.

Crooks use skimmer or shimmer devices to collect data on EMV cards, they create a magstripe clone, and then they use this clone to make fraudulent transactions at Point-of-Sale (POS) systems or withdraw money from ATMs in third-world countries where EMV cards have not been rolled out and magstripe cards are still accepted.

Banking industry still slow to adopt proper security practices

In her whitepaper, Galloway explains why this is still possible.

“First, the commonalities between magstripe and EMV standards for chip inserted and contactless mean that it’s possible to determine valid cardholder information from one technology and use it for another,” Galloway said.

“Secondly, magstripe is still a supported payment technology, likely because the adoption of chip-based cards has been slow in some geographic regions around the world.

“Third, although magstripe is a deprecated technology in many of the countries tested, cloned data is still effective because it is possible to cause the terminal and card to fallback to a magstripe swipe transaction,” the researcher added.

“Finally, card security codes, a critical point of card verification, are not checked at the time of the transaction by all card issuers.”

This last point is the more significant issue. As Galloway pointed out in a conversation on Twitter with this reporter, card security codes (CSC, CVV, or CVC values printed on a card) should be unique per technology and should always be validated.

While banks don’t have full control of what card/payment technologies are supported in other countries, and they’ll still have to support older technologies for legacy purposes, they have the power to verify transactions correctly.

However, as Steven Murdoch, Research Fellow at University College London, also pointed out on Twitter, the reality is that banks still fail to enforce this simple rule, even now, in 2020.

Transactions are still approved with the wrong security code, from another card technology, and even without it. By not properly verifying security codes, this leaves the door open for carding gangs to continue to operate by copying and downgrading the newer EMV cards into magstripe clones to abuse overseas, in countries where magstripe cards are still accepted.

Galloway said that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magstripe clones to be abused for fraudulent transactions.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Cryptosoft Trading Bot Review
June 27, 2022
The Largest Crypto Scams Of 2022 (So Far)
The Largest Crypto Scams Of 2022 (So Far)
June 14, 2022
How Do Scammers Entice Their Prey?
May 10, 2022
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Is The Crypto Market Combating A Lehman Brothers Moment?
Is The Crypto Market Combating A Lehman Brothers Moment?
June 30, 2022
Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin20,424 0.03 % 1.76 % 3.21 %
Ethereum1,093.1 0.71 % 0.32 % 4.49 %
Tether1.002 0.04 % 0.23 % 0.17 %
USD Coin1.002 0.27 % 0.10 % 0.01 %
BNB225.47 0.71 % 3.36 % 1.58 %
Binance USD1.004 0.92 % 0.16 % 0.35 %
XRP0.3317 0.53 % 1.70 % 1.13 %
Cardano0.4680 0.23 % 1.60 % 2.58 %
Solana34.99 0.97 % 6.50 % 8.43 %
Dogecoin0.06767 0.23 % 0.77 % 5.49 %

Bitcoin (BTC) $ 20,314.00
Ethereum (ETH) $ 1,087.91
Tether (USDT) $ 1.00
USD Coin (USDC) $ 1.00
BNB (BNB) $ 224.89
Binance USD (BUSD) $ 1.00
XRP (XRP) $ 0.331648
Cardano (ADA) $ 0.466079
Solana (SOL) $ 34.65
Dogecoin (DOGE) $ 0.067521